To protect a Splunk Free (no authentication) installation, there are a few options:
1. Block the Splunk network port, only allowing connections via SSH port-forwarding:
   http://eyeis.net/2012/07/securing-splunk-free-version-when-installed-on-security-onion-server-or-anywhere-else/

2. Create a reverse proxy using your own authentication source:
   http://www.staze.org/proxy-splunk-behind-apache-2-2/

Security Onion can receive logs from OSSEC agents or anything that can send standard syslog, analyze them and display alerts with:
- Sguil client
- Squert web interface
- Splunk - not included in Security Onion, but can be installed; also see Brad Shoop's Splunk App for Security Onion: http://splunk-base.splunk.com/apps/45784/security-onion

ELSA is a nice open-source competitor to Splunk and it will be added to Security Onion soon.

I highly recommend using OSSEC agents where possible as they:
- are cross-platform
- are very lightweight
- in addition to log management/analysis, also give you file integrity checking, rootkit detection, and other controls

Hope that helps!

Thanks,
Doug

On Tue, Jul 10, 2012 at 10:28 PM, Guillaume Ross <[email protected]> wrote:
> Hi guys,
>
> http://docs.splunk.com/Documentation/Splunk/latest/Admin/MoreaboutSplunkFree
>
> Quote:
>
> What does no authentication and access controls mean?
>
> • There is no login. The command line or browser can access and
> control all aspects of Splunk with no user/password prompt.
>
> This can lead to issues such as this:
>
> http://averagesecurityguy.info/2012/04/12/pwning-a-splunk-server/
>
> So I would say the Free one is really for testing/playing, but not suitable
> at all for "real work". The good news is Splunk is relatively affordable
> compared to other "enterprise" solutions.
>
> -GR
>
> On 2012-07-10, at 9:53 PM, Matthew Perry wrote:
>
>> I am going to jump on the bandwagon for Splunk as well. I have used the
>> universal forwarder on Windows and Linux and they are very lightweight.
>>
>> - Matt
>>
>> On Tue, Jul 10, 2012 at 9:38 PM, anthony kasza <[email protected]> wrote:
>>
>>> The time between polling is configurable.
>>> I too prefer agents as it takes the resource burden away from a single
>>> machine and provides real-time log collection. Installing agents isn't
>>> always the best solution, however.
>>> I've been told that Splunk agents (known as Universal Forwarders) have
>>> a minimal resource footprint but I have never used one.
>>>
>>> -AK
>>>
>>> On Tue, Jul 10, 2012 at 8:04 PM, Champ Clark III <[email protected]> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 7/10/12 8:50 PM, anthony kasza wrote:
>>>>> Conceptually similar to SNMP, but not the same. You configure
>>>>> Splunk with a service account. Periodically, Splunk will log in to
>>>>> those designated systems and collect WMI information. The service
>>>>> account needs the proper rights and privileges to read WMI on each
>>>>> system.
>>>>
>>>> Thank you. I was using SNMP-trap in my example, but that was
>>>> incorrect. SNMP is a better analogy.
>>>>
>>>> That's the way I was told WMI, which I've never used, worked. How
>>>> often does polling typically take place? I assume that's configurable?
>>>>
>>>> I typically don't like systems that have to manually "poll" for logs.
>>>> Hence the reason I believe loading the agent is better. However,
>>>> the downfall of that is... well... you have to load the agent... Some
>>>> organizations/people don't like that idea either.
>>>>
>>>> - --
>>>> - - Champ Clark III ([email protected])
>>>> Quadrant Information Security (http://quadrantsec.com)
>>>> Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
>>>> GPG Key ID: 0381878A
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
>>>> Comment: GPGTools - http://gpgtools.org
>>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>>
>>>> iQEcBAEBAgAGBQJP/NEzAAoJENnmXt7Lmc3KLcYH/ihIDmKtJfbgSdlFMwRVI9j9
>>>> I41Kcpz1cvL817VhgY0mv4uKYNnQ4laSrRYHkAhI4bkIVRkGOV3aEez8vl/0t83R
>>>> z5z1Bdr0T/+VNDLAuJRM3AqlUn6BPQ/8Z7WRBKAyJ0PZZiSwcxWvWRNhRvrBRczS
>>>> 086j0hIoDQr/K/3yIwJnvbk+5bcgRqSfsv7B3Etaz/OKoYCcN/TRGu8+pjMeRF1g
>>>> D+f7x/jPpzhGTlc/JIMS1EnBIqq8YEjJ34IJuoT7vK+HSx5mJ1sGiP+aO6X23YJ6
>>>> Xzv7y9Dfq1dFB4ZmmUj7LVA/4wDLAbi5OQIqkpTd/2oQMjtHj2mA6zWhb8PVCz4=
>>>> =6QkV
>>>> -----END PGP SIGNATURE-----
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
>>
>> --
>> Matthew Perry

--
Doug Burks
http://securityonion.blogspot.com
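Doug's first option above comes down to making the unauthenticated Splunk Free listeners unreachable from the network and going through an SSH tunnel instead. As an added example that is not part of the thread or of the linked posts, the Python script below audits a Splunk web.conf for exactly that: it flags Splunk Web and the management port when they are bound to anything other than loopback, and builds the matching ssh -L command for the hardened case. The web.conf keys server.socket_host, httpport and mgmtHostPort, the two sample conf texts, and the admin@splunk.example tunnel endpoint are assumptions supplied for the example, not values from the thread.

```python
"""Audit a Splunk web.conf for network exposure of the two listeners that
matter on a Splunk Free box: Splunk Web (default port 8000) and the
management port (default 8089). An empty findings list means both are
confined to loopback and can only be reached through an SSH port-forward.

Assumed web.conf keys (read from the [settings] stanza): server.socket_host,
httpport and mgmtHostPort. The sample conf texts are constructed for this
example and are not taken from any real installation.
"""

import configparser
import ipaddress

# Constructed sample: server.socket_host is unset, so Splunk Web listens on
# every interface, and the management port is bound to 0.0.0.0 as well.
EXPOSED_WEB_CONF = """
[settings]
httpport = 8000
mgmtHostPort = 0.0.0.0:8089
"""

# Constructed sample: both listeners pinned to loopback; the only way in from
# another host is an SSH tunnel.
HARDENED_WEB_CONF = """
[settings]
server.socket_host = 127.0.0.1
httpport = 8000
mgmtHostPort = 127.0.0.1:8089
"""


def parse_web_conf(text):
    """Return the [settings] stanza of a web.conf as a plain dict (keys keep their case)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep mgmtHostPort, not mgmthostport
    parser.read_string(text)
    return dict(parser["settings"]) if parser.has_section("settings") else {}


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the name 'localhost'; any other name is treated as exposed."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def listeners(settings):
    """Return (name, host, port) for Splunk Web and the management port.

    Defaults mirror Splunk's when the keys are absent: Web on 0.0.0.0:8000,
    management on 0.0.0.0:8089.
    """
    web_host = settings.get("server.socket_host", "0.0.0.0")
    web_port = int(settings.get("httpport", "8000"))
    mgmt_host, _, mgmt_port = settings.get("mgmtHostPort", "0.0.0.0:8089").rpartition(":")
    mgmt_host = mgmt_host.strip("[]")  # tolerate the [::1]:8089 IPv6 form
    return [
        ("Splunk Web", web_host, web_port),
        ("management port", mgmt_host, int(mgmt_port)),
    ]


def audit(text):
    """Return one finding string per listener reachable beyond loopback."""
    findings = []
    for name, host, port in listeners(parse_web_conf(text)):
        if not is_loopback(host):
            findings.append(
                f"{name} bound to {host}:{port}; bind it to 127.0.0.1 "
                f"or block the port and reach it through an SSH tunnel"
            )
    return findings


def ssh_forward_command(user, host, settings):
    """Build the ssh -L command that reaches loopback-bound listeners on the Splunk host."""
    forwards = [f"-L {port}:127.0.0.1:{port}" for _, _, port in listeners(settings)]
    return f"ssh {' '.join(forwards)} {user}@{host}"


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_WEB_CONF), ("hardened", HARDENED_WEB_CONF)):
        print(f"{label}: {audit(conf) or ['ok: loopback only']}")
    # Tunnel command for the hardened case; admin@splunk.example is a placeholder.
    print(ssh_forward_command("admin", "splunk.example", parse_web_conf(HARDENED_WEB_CONF)))
```

Binding to loopback in web.conf and blocking the port at the host firewall are complementary: the config change stops the listener being reachable at all, the firewall rule catches the case where someone later reverts the setting. The audit treats a hostname other than localhost as exposed on purpose, since a name that resolves to a loopback address today may not tomorrow.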
